Kerio User Forums » Kerio Control » Kerio VPN Tunnel & Dial in

amin1356 (Messages: 19, Karma: 0)
Hi everybody,
I run Windows 2003 RRAS (only VPN without NAT) on my first Kerio Control server, and my clients use Windows PPTP VPN to connect to this Kerio server. Also on this server I create a VPN Tunnel to a second Kerio Control server which is located in the USA. Now I want my Dial-in (PPTP) users to use the internet of the USA Kerio Control server instead of the internet of the first Kerio Control server.

Is there any solution for this issue?
Best Regards,
silars (Messages: 429, Karma: 59)
It should be possible to provide your dial-in users a simple PPP connection and then let them PPTP to any point in your network. If you meant VPN users instead of dial-in, then you should be able to use port forwarding or set the PPTP destination to the USA Control server.

Without more knowledge of your network, it is hard to be more precise. I'm sure there are more complications that prevent what appear to be simple adjustments.
amin1356 (Messages: 19, Karma: 0)
Dear silars (and other users),
Thanks for your reply and attention.
My scenario is as follows:

I have two Kerio servers in two data centers in different countries.

On server 1 I have these items:
- I have installed Windows 2003 Enterprise Edition
- I have configured RRAS (Routing and Remote Access Server) to accept PPTP/L2TP VPN connections (Only VPN without NAT)
- I have installed Kerio 7.2.2 and configured the Traffic Rules to allow incoming PPTP/L2TP VPN connections (via windows 2003 RRAS) and NAT them (Dial in connections) to the internet.

On server 2 I have installed Kerio 8.0.1

I have connected the two servers via Kerio VPN tunnel.

When I connect to server 1 via PPTP or L2TP, Kerio detects these connections as Dial-in and NATs them to the internet (via server 1), and everything is ok.

Now I want these PPTP or L2TP connections that connect to server 1 to be NATed to the internet via server 2, not via server 1 (server 1 and server 2 are connected to each other via the VPN tunnel).

Please let me know which configuration I should do on the servers so that my requested scenario works.

(Hope that I could explain my request well).

Best Regards,

[Updated on: Wed, 01 May 2013 22:51]

silars (Messages: 429, Karma: 59)
I believe you have two easy options:

1. Transition from PPTP/L2TP to IPsec VPNs and enable the IPsec VPN server on Server 2. This could be hard depending on the remote device capabilities and administration.

2. Double-NAT. Set up your traffic policies to NAT PPTP/L2TP users towards Server 2 from Server 1. Depending on your control policies this may be impossible (you'll lose per-IP information during the first NAT). If you need to handle individual dial-in users differently, this won't work.

Harder options would be to look into altering your default routing, adding Policy-based Routing with an external device, or moving your RRAS function behind Server 2.
amin1356 (Messages: 19, Karma: 0)
Dear Silars,
Thanks for your reply.

Regarding your two easy options, please find my answers as follows:

Option 1: This option is not useful for me because the PPTP/L2TP ports are blocked in our country for connecting to IPs in other countries (server 2). PPTP/L2TP ports are open only for the IP range within the country (where server 1 is also located). But the Kerio VPN port is ok.

Option 2: If I understand correctly you mean I create traffic policies in server 1 as below:
Source --> Dial-In
Destination --> Internet interfaces
Service --> Any
Action --> Allow
Translation --> NAT (Use specific IP address) [IP Address: (The IP address of server 2)]
Then what traffic policies should I create on server 2?
It is not important for me if I lose per-IP information during the first NAT. I don't need to handle individual dial-in users differently. The only important thing is that PPTP/L2TP (Dial-In) users are routed to server 2 and use the internet of server 2.

Regarding your two harder options:

Option 1: How can I alter my default routing or add Policy-based Routing with an external device? Would you please explain more?

Option 2: Again, because of the PPTP/L2TP port blocking, I cannot move my RRAS function behind Server 2.

Best Regards,

[Updated on: Fri, 03 May 2013 00:15]

silars (Messages: 429, Karma: 59)
Looking at how Kerio Control handles the tunnels, I'm not sure you'll be able to do this with Control alone. Control doesn't expose the tunnels as interfaces, so the NAT'ing trick doesn't appear to work.

The only hope for Option 2 to work is to do as you described, but NAT (Use specific IP address) [IP Address: (The IP address of the Server 1 tunnel address)]. Control might be smart enough to realize you are trying to force traffic down the Kerio VPN tunnel. I'm not sure I'd bet any money on this working.

However, there might be some tricks you can play using RRAS. This also turns the Windows Server into a router. You could try building an L2TP tunnel over the Kerio VPN Tunnel. This should allow you to expose Server 2 as a potential default gateway to your PPTP users.

Though, this is likely to get more complicated as you go along. The idea is somehow either force (Policy route) PPTP traffic to Server 2, or make Server 2 appear like a next hop option.
amin1356 (Messages: 19, Karma: 0)
> Looking at how Kerio Control handles the tunnels, I'm not sure you'll be able to do this with Control alone. Control doesn't expose the tunnels as interfaces, so the NAT'ing trick doesn't appear to work.

Yes, you are right, Control doesn't expose the tunnels as interfaces!

> The only hope for Option 2 to work is to do as you described, but NAT (Use specific IP address) [IP Address: (The IP address of the Server 1 tunnel address)]. Control might be smart enough to realize you are trying to force traffic down the Kerio VPN tunnel. I'm not sure I'd bet any money on this working.

I tested this option also with all possible settings, but it doesn't work!

> However, there might be some tricks you can play using RRAS. This also turns the Windows Server into a router. You could try building an L2TP tunnel over the Kerio VPN Tunnel. This should allow you to expose Server 2 as a potential default gateway to your PPTP users.

I don't know how to do these tricks!

> Though, this is likely to get more complicated as you go along. The idea is somehow either force (Policy route) PPTP traffic to Server 2, or make Server 2 appear like a next hop option.

Yes, but which policy route should I create?!

What about custom routes in VPN Tunnel Properties? Should they be useful for my scenario?

http://0098.dyndns.org/route1.jpg

I added the following custom routes on server 1 which send all traffic to the VPN Tunnel. With this, my scenario works and the PPTP/L2TP users connected to server 1 are forced to use the internet of server 2, but the problem is that after adding these custom routes, server 1 is not accessible any more and no more PPTP/L2TP connections can be established to server 1!:

http://0098.dyndns.org/route2.jpg

[Updated on: Fri, 03 May 2013 10:40]

silars (Messages: 429, Karma: 59)
Yes, this is what I was meaning by it likely getting more complicated.

The default route change has to be done in two steps. The first step is to define routes that point back to your PPTP users. Once you do this, then you can change the default route to Server 2. This is often more complicated than the other fixes due to having to install a large route table to account for all PPTP users.

The Policy-based Routing idea won't work unless you add some software that understands the ability to route on other criteria other than destination network/mask. What you want is routing based on source IP + dest IP.

Another easy concept is to add another Kerio Control instance (server/VM/etc.) to handle the VPN Tunnel and PPTP users. So, one Control for Ingress PPTP, one for Egress PPTP. You'll want to DHCP the PPTP users so that they use the Egress PPTP Control as the default gateway.

You'll also need to make a few route changes. You'll need to make the tunnel the default route, but you also need to make sure the Control route table has Server 2 tunnel endpoint network installed on the proper interface.

As you can see this is getting progressively complicated. We may have to resort to drawings. Unless someone else comes up with a clever idea.
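The two-step default-route change and the "source IP + dest IP" policy routing silars describes can be shown with a toy longest-prefix-match router. This is an added example, not Kerio Control or RRAS code, and the addresses are constructed: a PPTP address pool 10.8.0.0/24 handed out by RRAS, a PPTP user whose public address is 203.0.113.7, an internet host 198.51.100.9, and server 1's own WAN address 192.0.2.1; interface names wan1, pptp and kvpn (the Kerio VPN tunnel) are likewise invented. It also assumes, since the route2.jpg screenshot is not on the page, that "send all traffic to the tunnel" was done with the usual pair of /1 routes that beat the /0 default:

```python
"""Toy router illustrating why 'everything via the tunnel' cuts off the PPTP
users (their public addresses now route into the tunnel, so the PPTP/GRE
return traffic never reaches them), why per-user return routes fix it, and
how a source-aware (policy) lookup avoids the large route table altogether.
Added example; all addresses and interface names are constructed."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class RouteTable:
    """Destination-only table with longest-prefix-match lookup, like the
    plain route table of RRAS or Kerio Control."""
    routes: list = field(default_factory=list)   # (network, interface)

    def add(self, prefix: str, via: str) -> "RouteTable":
        self.routes.append((ipaddress.ip_network(prefix, strict=False), via))
        return self

    def lookup(self, dst: str):
        addr = ipaddress.ip_address(dst)
        matches = [(net, via) for net, via in self.routes if addr in net]
        if not matches:
            return None
        # Most specific prefix wins; a /1 beats the /0 default, a /32 beats both.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


@dataclass
class PolicyRouter:
    """Source-aware lookup: rules (source prefix -> table) are consulted in
    order before the main table. This is the 'source IP + dest IP' routing
    that silars says needs extra software or an external device."""
    main: RouteTable
    rules: list = field(default_factory=list)

    def add_rule(self, src_prefix: str, table: RouteTable) -> "PolicyRouter":
        self.rules.append((ipaddress.ip_network(src_prefix), table))
        return self

    def lookup(self, src: str, dst: str):
        s = ipaddress.ip_address(src)
        for net, table in self.rules:
            if s in net:
                hop = table.lookup(dst)
                if hop is not None:
                    return hop
        return self.main.lookup(dst)


# Constructed addresses (not from the thread).
PPTP_POOL = "10.8.0.0/24"       # addresses RRAS assigns to dial-in users
CLIENT_PUBLIC = "203.0.113.7"   # public address of one PPTP user
INTERNET_HOST = "198.51.100.9"  # some host on the internet
SERVER1_WAN = "192.0.2.1"       # server 1's own WAN address


def original_table() -> RouteTable:
    """Server 1 before any custom routes: default via wan1, pool via pptp."""
    return RouteTable().add("0.0.0.0/0", "wan1").add(PPTP_POOL, "pptp")


def all_via_tunnel_table() -> RouteTable:
    """The 'send all traffic to the VPN tunnel' change (assumed to be two /1
    routes). Internet traffic now goes via kvpn, but so does the reply to
    the PPTP user's public address, so new PPTP sessions cannot be built."""
    return original_table().add("0.0.0.0/1", "kvpn").add("128.0.0.0/1", "kvpn")


def two_step_table(client_publics) -> RouteTable:
    """Step 1: a /32 route back to every PPTP user's public address via wan1.
    Step 2: the tunnel routes. This is the 'large route table' silars
    mentions, one entry per remote user."""
    t = all_via_tunnel_table()
    for ip in client_publics:
        t.add(f"{ip}/32", "wan1")
    return t


def policy_router() -> PolicyRouter:
    """Policy routing: only packets sourced from the PPTP pool use a table
    whose default is the tunnel; everything else (including server 1's own
    PPTP/GRE replies) keeps using the main table."""
    via_tunnel = RouteTable().add("0.0.0.0/0", "kvpn")
    return PolicyRouter(original_table()).add_rule(PPTP_POOL, via_tunnel)


if __name__ == "__main__":
    print("broken :", all_via_tunnel_table().lookup(CLIENT_PUBLIC))      # kvpn
    print("two-step:", two_step_table([CLIENT_PUBLIC]).lookup(CLIENT_PUBLIC))  # wan1
    print("policy  :", policy_router().lookup("10.8.0.5", INTERNET_HOST))  # kvpn
    print("policy  :", policy_router().lookup(SERVER1_WAN, CLIENT_PUBLIC))  # wan1
```

The key difference between the two fixes is what has to be known in advance: the two-step table needs the public address of every dial-in user, which changes as users roam, whereas the policy router keys on the pool address RRAS itself assigns, so it needs a single rule.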